Usage of Plasma 6’s Global Themes May Pose Serious Risks

A Reddit user reported that installing a specific global theme in KDE Plasma 6 erased all the information on their computer.

First and foremost – there is no need for unnecessary panic! If diving into the settings to download and install an external global theme isn’t your first move after getting the impressive Plasma 6 desktop environment set up, you’re in the clear. Secondly, it’s important to note that the KDE team is on top of the issue. Here’s the scoop.

А Reddit user alerted (for reference here and here) about a significant issue with Plasma 6. Installing a specific external global theme triggers the execution of “rm -rf /” in the background. This command, known for its simplicity yet potential for extensive damage, wipes all data on the drive, including any additional mounted drives.

If you haven’t set up a dependable backup solution, you might justifiably consider this one of the darkest days you’ve experienced. In other words, there’s a risk that all your valuable content, cherished digital memories, and work-related data could be lost forever. Okay, how is that possible?

Firstly, let’s reiterate that we’re talking about an external global theme – a comprehensive package that includes things like window decorations, plugins, icons, colors, etc. According to the information available, the issue does not stem from malicious code intentionally inserted into the theme.

Instead, it arises from a flaw between the combination of the Plasma 6 codebase concerning the desktop environment’s handling of global theme implementation and the specific theme itself.

Still, the Plasma theme at the center of these discussions, “Grey Layout,” has nearly four thousand downloads and was previously used in Plasma 5 without any issues. Anyway, the theme has been removed from the KDE Store.

KDE Plasma 6 - Add a Global Theme
KDE Plasma 6 – Add a Global Theme

This leads to one primary concern – the efficiency with which the KDE team curates and audits the quality of external resources complementing and expanding its features. It might be time to reconsider how third-party themes are offered for download on Plasma.

David Edmundson, KDE Software Engineer & Project Lead, has just released a statement on this matter, which you can view here.

A global theme on the kde third party store had an issue where it executed a script that removed user’s data. It wasn’t intended as malicious, but a mistake in some shell parsing. It was promptly identified and removed, but not before doing some damage to that user.

This has started a lot of discourse around the concept of the store, secuirty and upstream KDE.

The explanation is straightforward if you need clarification about how a theme could run system commands and erase your disk. When discussing Plasma 6 global themes, we’re not referring to the typical theme composed of a handful of CSS files, images, and some JavaScript that most would consider.

Instead, imagine the Plasma 6 theme as an application in its own right. It encompasses plugins with access to various system resources necessary for their functionality, including the capacity to execute system commands.

Essentially, anyone with the requisite tech skills can design a theme and share it on the KDE Store, triggering user issues whether by design or accident. It’s evident that significant improvements are necessary in how the KDE Store manages the quality and verification of third-party software, a move Flathub has already made.

Finally, we highly recommend that you hold off installing any global themes on your Plasma 6 desktop environment. There is no way to know at the moment whether another one will appear and cause a problem. Unfortunately, the only way to know is after it has already happened.

Bobby Borisov

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

Think You're an Ubuntu Expert? Let's Find Out!

Put your knowledge to the test in our lightning-fast Ubuntu quiz!
Ten questions to challenge yourself to see if you're a Linux legend or just a penguin in the making.

1 / 10

Ubuntu is an ancient African word that means:

2 / 10

Who is the Ubuntu's founder?

3 / 10

What year was the first official Ubuntu release?

4 / 10

What does the Ubuntu logo symbolize?

5 / 10

What package format does Ubuntu use for installing software?

6 / 10

When are Ubuntu's LTS versions released?

7 / 10

What is Unity?

8 / 10

What are Ubuntu versions named after?

9 / 10

What's Ubuntu Core?

10 / 10

Which Ubuntu version is Snap introduced?

The average score is 68%